
Table 3-7 describes the risk levels shown in the above matrix. This risk scale, with its ratings of High, Medium, and Low, represents the degree or level of risk to which an IT system, facility, or procedure might be exposed if a given vulnerability were exercised. The risk scale also presents actions that senior management, the mission owners, must take for each risk level.

Table 3-7. Risk Scale and Necessary Actions


Risk Level   Risk Description and Necessary Actions

High         If an observation or finding is evaluated as a high risk, there is a strong need for corrective measures. An existing system may continue to operate, but a corrective action plan must be put in place as soon as possible.

Medium       If an observation is rated as medium risk, corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time.

Low          If an observation is described as low risk, the system's DAA must determine whether corrective actions are still required or decide to accept the risk.

Output from Step 7Risk level (High, Medium, Low)

8. If the level indicated on certain items is so low as to be deemed "negligible" or non-significant (value is <1 on a risk scale of 1 to 100), one may wish to hold these aside in a separate bucket in lieu of forwarding them for management action. This will make sure that they are not overlooked when conducting the next periodic risk assessment. It also establishes a complete record of all risks identified in the analysis. These risks may move to a new risk level on a reassessment due to a change in threat likelihood and/or impact, and that is why it is critical that their identification not be lost in the exercise.
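A worked example of the Step 7 rating, the Table 3-7 actions and the footnote-8 "negligible" bucket, added here and not part of SP 800-30 or of this excerpt. The numeric likelihood and impact values and the score thresholds for High, Medium and Low are assumed from the SP 800-30 risk-level matrix that the text calls "the above matrix" but does not reproduce; the sample findings are constructed.

```python
from dataclasses import dataclass
# Thresholds assumed from the SP 800-30 matrix (Table 3-6, referred to above but not
# reproduced): score = likelihood (0-1) x impact (0-100); High > 50, Medium > 10,
# Low >= 1; anything below 1 is the footnote-8 "negligible" bucket.
ACTIONS = {  # necessary actions, Table 3-7
    "High": "Corrective action plan must be put in place as soon as possible.",
    "Medium": "Corrective actions needed; plan them within a reasonable period.",
    "Low": "DAA decides whether corrective action is required or accepts the risk.",
    "Negligible": "Held aside; re-examine at the next periodic risk assessment.",
}

@dataclass
class Finding:
    name: str
    likelihood: float  # threat likelihood, 0.0-1.0 (matrix uses 1.0/0.5/0.1)
    impact: float      # impact magnitude, 0-100 (matrix uses 100/50/10)
    level: str = ""
    action: str = ""

def risk_level(score: float) -> str:
    if score < 1:
        return "Negligible"
    if score > 50:
        return "High"
    return "Medium" if score > 10 else "Low"

def rate(f: Finding) -> str:
    # Score the finding and record its level and Table 3-7 action on the register.
    f.level = risk_level(f.likelihood * f.impact)
    f.action = ACTIONS[f.level]
    return f.level

def assess(findings):
    # Split into items for management action and the held-aside bucket; every
    # finding keeps its rating, so the record of identified risks stays complete.
    for_management, held_aside = [], []
    for f in findings:
        (held_aside if rate(f) == "Negligible" else for_management).append(f)
    return for_management, held_aside

def reassess(f: Finding, **changes) -> str:
    # Periodic reassessment: apply a changed likelihood and/or impact, then re-rate.
    for attr, value in changes.items():
        setattr(f, attr, value)
    return rate(f)

def sample_findings():  # constructed sample register, not from the document
    return [Finding("Missing patches, internet-facing server", 1.0, 100),
            Finding("Verbose error pages", 0.1, 10),
            Finding("Disconnected legacy modem line", 0.05, 10)]
```

Calling `assess(sample_findings())` puts the modem finding (score 0.5) in the held-aside bucket with its own action, and `reassess(held[0], likelihood=0.5)` moves it to Low once the threat likelihood changes.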



SP 800-30 Page 26


During this step of the process, controls that could mitigate or eliminate the identified risks, as appropriate to the organization’s operations, are provided. The goal of the recommended controls is to reduce the level of risk to the IT system and its data to an acceptable level. The following factors should be considered in recommending controls and alternative solutions to minimize or eliminate identified risks:

• Effectiveness of recommended options (e.g., system compatibility)

• Legislation and regulation

• Organizational policy

• Operational impact

• Safety and reliability.

The control recommendations are the resul
